Internet protocol telephony security architecture

ABSTRACT

A system is provided in which a client/server/network can implement a key management session when the server initiates the key management session utilizing a nonce. The nonce allows a wakeup or trigger message to be conveyed to the client such that a service attack on the server can be avoided when a false nonce is received by the server with an AP request message. Thus the server can disregard AP request messages that are not accompanied by a nonce stored by the server. The method can be implemented through circuitry, electrical signals and code to accomplish the acts described in the method.

This application claims priority from co-pending PCT Application No. PCT/US00/09318 filed on Apr. 7, 2000 entitled, “Built-in Manufacturer's Certificates for a Cable Telephony Adapter to Provide Device and Service Certification,” which claims priority from U.S. application Ser. No. 60/128,772 entitled, “Internet Protocol Telephony Security Architecture” filed on Apr. 9, 1999, as well as PCT Application No. PCT/US00/02174 filed on Jan. 28, 2000 entitled “Key Management for Telephone Calls to Protect Signaling and Call Packets Between CTA's,” all of which are hereby incorporated by reference for all that they disclose and for all purposes.

BACKGROUND

This invention relates generally to network security, and more particularly, to a system for providing key management between a server and a client, e.g., in a telephony or an IP telephony network.

In networks that are based on a client/server configuration, there is a need to establish a secure channel between the server and the clients. In addition, in networks that utilize a third party to certify a trust relationship, there is a need to provide an efficient mechanism that allows a key management message to be initiated by the server. In such networks that utilize a trusted third party for the server and client, the client can typically request an encrypted authentication token from the trusted third party that can be used to initiate key management with the specified server; however, the server will typically initiate the key management session directly with the client. It is less preferable for the server to obtain from the trusted third party encrypted authentication tokens for each of the clients. Such an approach would add overhead to a server, requiring it to maintain cryptographic state for each of the clients. If such a server were to fail, a backup server would be required to undergo a recovery procedure in which it has to obtain new authentication tokens for each of the clients. The clients need to be initialized during their provisioning phase to allow them to successfully authenticate to a trusted third party and obtain the encrypted authentication tokens. One proposed method for client initialization is disclosed in PCT Application No. PCT/US00/09318 entitled “BUILT-IN MANUFACTURER'S CERTIFICATES FOR A CABLE TELEPHONY ADAPTER TO PROVIDE DEVICE AND SERVICE CERTIFICATION.” Nevertheless, a need exists to provide an efficient mechanism through which the server can initiate the key management session with the client, as opposed to a system in which only the client can initiate such a session.

One such client/server network is the client/server network that exists in IP telephony. In IP telephony systems, a cable telephony adapter (CTA) device can be used to allow a user to send and receive information in secure transactions over an IP telephony network. In typical operation, a series of signaling messages are exchanged that register the CTA device with the IP telephony network before a secure channel with another user can be established. Therefore, the CTA device needs to be authenticated by the IP telephony system. Otherwise, the process would be open to denial of service attacks—since some provisioning exchanges can be forged. In addition, it is desirable for the service provider to identify the CTA device—to make sure that only authorized devices are allowed in its IP Telephony network.

SUMMARY OF THE INVENTION

One embodiment of the invention comprises a system for providing key management in a client/server network. This embodiment of the invention utilizes a method to provide key management by providing a server; providing a client configured to be coupled to the server; providing a trusted third party configured to be coupled to the client; and allowing the server to initiate the key management session with the client.

One embodiment is operable as a method to generate a trigger message at the server; generate a nonce at the server; and, convey the trigger message and the nonce to the client. At the client, the client receives the trigger message and the nonce and responds by conveying a response message with a return nonce. The server can then determine that the response message is valid by comparing the values of the returned_nonce and the nonce that was generated by the server.

In addition, one embodiment can be implemented in code and by circuitry operable to produce the acts of the method.

A further understanding of the nature of the inventions disclosed herein will be realized by reference to the remaining portions of the specification and the attached drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a flow chart demonstrating an overview of one embodiment of the invention.

FIGS. 2A and 2B show a more detailed flow chart demonstrating a key management session between a server and a client.

FIG. 3 shows steps of a key management session after the key management session is initiated.

FIG. 4 shows a general block diagram of a client/server/trusted third party network.

FIG. 5 shows a block diagram of an IP telephony network in which a cable telephony adapter, a signaling controller, and a key distribution center are coupled with one another.

FIG. 6 shows the implementation of the data structures for establishing a key management session as implemented by one embodiment of the invention.

DESCRIPTION OF THE SPECIFIC EMBODIMENTS

FIG. 1 shows a flow chart demonstrating an overview of one embodiment of the invention. In flow chart 100, a server is provided 104 and a client coupled to the server is also provided 108. A trusted third party for the server and the client is provided 112 and the server is allowed to initiate a key management session with the client by utilizing a nonce 116.

It should be understood that a server is a shared computer on a network, such as a signaling controller used in an IP telephony network. Furthermore, it should be understood that a client is a computer or device served by another network computing device, such as a cable telephony adapter (client) being served by a signaling controller (server) via an IP telephony system. In addition, it should be understood that a trusted third party for the server and the client is a device or computer utilized by at least two parties that facilitates cryptographic processes such as certifying the identity of one of the two parties to the other. Finally, it should be understood that a nonce is a number generated that is utilized only once. The use of a nonce helps to prevent an attacker from implementing a replay attack. Such a nonce can be generated randomly.

The method of FIG. 1 can be better understood by reference to FIG. 2A and FIG. 2B. In the method designated 200 in FIG. 2A and FIG. 2B, a server such as a signaling controller in an IP telephony system is provided 204. In addition, a client such as a cable telephony adapter in an IP telephony system is also provided 208. A trusted third party for the client and server, such as a key distribution center in an IP telephony system, is provided 212, as well. The server, client, and trusted third party are coupled to one another. Typically, the client initiates key management sessions with the server. However, there will be times when the server will need to initiate a key management session with the client. Rather than authenticating the trigger message (e.g. with a digital signature and certificate), the invention can utilize a nonce in the authentication of the subsequent AP Request message from the client. This embodiment of the invention does not prevent an adversary (impersonating a legitimate server) from sending an illicit trigger message to the client and fooling it into responding with an AP Request. Instead it provides that such an AP Request will be rejected by the legitimate server. This mechanism is designed to reduce the server's overhead of initiating key management exchanges with its clients, while still maintaining sufficient security. Thus, in 216 a trigger message is generated at the server to initiate a key management session. Then, a nonce is generated at the server 220 and the nonce and trigger message are coupled together and conveyed to the client 224. The client receives the trigger message and the nonce 228. Then the client designates the nonce as a returned_nonce 232. In this way, the client can return the received nonce to the server for verification that the message is from the client. In 236, a second nonce is generated at the client. The second nonce is for use by the server and client as part of the key management session being initiated. The client generates a response message to the trigger message that was received from the server 240. Then the response message, the returned_nonce, and the second nonce are conveyed to the server 244.

At the server, the value of the returned_nonce is compared to the value of the nonce which was generated at the server. If the values of the returned_nonce and the nonce stored at the server are equivalent, the key management session can proceed. However, if the value of the returned_nonce does not equal the value of the nonce stored at the server then a determination is made that the returned_nonce is actually a false nonce 252. In such a case there is a possibility that the signal has been corrupted; or, there is a possibility that an attacker is trying to initiate a service attack. In a service attack, the attacker tries to fraudulently initiate a rekeying session in order to cause the server to utilize processor cycles which prevent the processor from utilizing those cycles for other operations. Thus the server would become less effective under such an attack than it would be under normal conditions. By repeating such an attack, an attacker can prevent the server from operating efficiently and thus can compromise the operation of the client server network, such as an IP telephony network. If the returned_nonce is determined to be not equivalent to the value of the nonce stored at the server, the response message sent with the returned_nonce is disregarded as being unauthenticated 256. However, if the returned_nonce does equal the value of the nonce stored at the server, then the key management session continues 260.

FIG. 3 shows additional steps in a typical key management session as highlighted by block 260 in FIG. 2B. In FIG. 3, method 300 shows that an application (AP) REPLY is generated 364 by the server. The AP REPLY is conveyed to the client with the second nonce that was generated by the client 368. The AP Request is an abbreviation for Application Request and AP Reply stands for Application Reply. For example, these two messages can be specified by the Kerberos Key Management standard (see IETF RFC 1510). As a further example, in the context of Kerberos, the second nonce can be the client's time expressed in microseconds. When the AP REPLY and second nonce are received at the client, the client transmits a security association (SA) recovered message to the server 372. This completes the applicable Kerberos key management session.

FIG. 4 shows a block diagram of a client/server/trusted third party network. A client 401 is coupled with a server 402. In addition, the client is coupled with a trusted third party 404. The trusted third party is also coupled with the server 402. FIG. 4 thus demonstrates the network within which one embodiment of the invention can be implemented.

In FIG. 5 an IP telephony network implementing one embodiment of the invention is demonstrated. A client such as a cable telephony adapter 501 is coupled with a server, such as signaling controller 502. Furthermore, the cable telephony adapter and signaling controller are also coupled to a trusted third party, illustrated as key distribution center 504. Furthermore the signaling controller is coupled with the IP telephony network 508. Such a network as that illustrated in FIG. 5 would be useful for establishing an IP telephony call from a user who is coupled to the cable telephony adapter through the IP telephony network 508 to another user connected to a similar network. Thus the user can be authenticated as the calling party through the cable telephony adapter and signaling controller when the call is placed across the IP telephony network. Further details of such a network are illustrated in the references which were incorporated by reference.

FIG. 6 illustrates data structures for implementing a Kerberos key management session initiated by a server in a client/server network. In FIG. 6 a nonce number 1 is coupled with an initiation signal such as a trigger or wakeup message and the combined message is transmitted across an interface 601 to the client. The client stores nonce number 1. It then adds nonce number 2 and an application request in a data structure such as that shown in FIG. 6. This set of data is then transmitted across the interface back to the server. The server compares the value of received nonce number 1 with the value of nonce number 1 stored at the server so as to confirm the authenticity of the AP Request. Upon authenticating the AP Request, the server generates an AP Reply and couples it with nonce number 2 which was generated by the client. The combined nonce number 2 and AP Reply are then transmitted across the interface to the client. The client is able to verify the authenticity of the AP Reply by comparing the value of nonce number 2 received from the server with the value of nonce number 2 stored at the client. Upon authenticating the AP Reply, the client generates a Security Association (SA) recovered message and transmits that across the interface to the server. This Kerberos-based key management protocol is thereby implemented in an efficient way and furthermore allows the server to initiate the key management session with the use of only an additional nonce as overhead to the initiation message. Thus the method is highly efficient in that only a nonce need be used in the authentication process of the initiation message.
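
The exchange described for FIGS. 2A, 2B, 3 and 6, as an added Python example that is not part of the patent text: the server disregards any AP Request whose returned nonce does not match its stored one, and the client checks nonce number 2 on the AP Reply. The message type strings, nonce size, expiry time, the client id "cta-1" and the placeholder ticket are assumptions; Kerberos ticket validation is not modelled.

```python
import hmac
import secrets
import time

NONCE_BYTES = 16   # assumed nonce size; the page does not specify one
NONCE_TTL = 30.0   # assumed lifetime (seconds) of an outstanding trigger


class Server:
    """Signaling-controller side: state is one outstanding nonce per client."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.pending = {}  # client_id -> (server_nonce, expiry)

    def trigger(self, client_id):
        nonce = secrets.token_bytes(NONCE_BYTES)
        self.pending[client_id] = (nonce, self.clock() + NONCE_TTL)
        return {"type": "WAKEUP", "nonce": nonce}

    def handle_ap_request(self, client_id, msg):
        """Return an AP Reply, or None when the request is disregarded."""
        entry = self.pending.get(client_id)
        if entry is None:
            return None  # server never triggered this client
        nonce, expiry = entry
        if self.clock() > expiry:
            del self.pending[client_id]
            return None  # trigger is too old
        returned = msg.get("returned_nonce")
        if not isinstance(returned, bytes) or not hmac.compare_digest(nonce, returned):
            # False nonce: drop the request before any ticket processing, and
            # keep the real nonce pending so a forgery cannot cancel it.
            return None
        del self.pending[client_id]  # a nonce is accepted only once
        # Ticket validation would happen here; it is not modelled.
        return {"type": "AP_REPLY", "nonce": msg["client_nonce"]}


class Client:
    """CTA side: echoes nonce 1 and checks nonce 2 on the reply."""

    def __init__(self):
        self.client_nonce = None

    def handle_trigger(self, msg):
        self.client_nonce = secrets.token_bytes(NONCE_BYTES)
        return {"type": "AP_REQUEST", "returned_nonce": msg["nonce"],
                "client_nonce": self.client_nonce, "ticket": b"<placeholder>"}

    def handle_ap_reply(self, msg):
        mine = self.client_nonce
        if mine is None or not hmac.compare_digest(mine, msg["nonce"]):
            return None
        self.client_nonce = None
        return {"type": "SA_RECOVERED"}


def run_exchange():
    """Constructed scenario: forged trigger, genuine exchange, then a replay."""
    server, client = Server(), Client()
    bogus = {"type": "WAKEUP", "nonce": secrets.token_bytes(NONCE_BYTES)}
    induced = client.handle_trigger(bogus)  # client cannot tell it is forged
    out = {"untriggered": server.handle_ap_request("cta-1", induced)}
    wakeup = server.trigger("cta-1")
    out["false_nonce"] = server.handle_ap_request("cta-1", induced)
    request = client.handle_trigger(wakeup)
    reply = server.handle_ap_request("cta-1", request)
    out["accepted"] = reply is not None
    out["sa"] = client.handle_ap_reply(reply)
    out["replay"] = server.handle_ap_request("cta-1", request)
    return out


if __name__ == "__main__":
    print(run_exchange())
```

The false-nonce branch returns before any ticket work, which is the overhead saving the text relies on; leaving the genuine nonce pending after a mismatch means a forged request cannot cancel a real trigger.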

In addition to embodiments where the invention is accomplished by hardware, it is also noted that these embodiments can be accomplished through the use of an article of manufacture comprised of a computer usable medium having a computer readable program code embodied therein, which causes the enablement of the functions and/or fabrication of the hardware disclosed in this specification. For example, this might be accomplished through the use of hardware description language (HDL), register transfer language (RTL), VERILOG, VHDL, or similar programming tools, as one of ordinary skill in the art would understand. The book “A Verilog HDL Primer” by J. Bhasker, Star Galaxy Pr., 1997 provides greater detail on Verilog and HDL and is hereby incorporated by reference for all that it discloses for all purposes. It is therefore envisioned that the functions accomplished by the present invention as described above could be represented in a core which could be utilized in programming code and transformed to hardware as part of the production of integrated circuits. Therefore, it is desired that the embodiments expressed above also be considered protected by this patent in their program code means as well.

It is noted that embodiments of the invention can be accomplished by use of an electrical signal, such as a computer data signal embodied in a carrier wave, to convey the pertinent signals to a receiver. Thus, where code is illustrated as stored on a computer medium, it should also be understood to be conveyable as an electrical signal. Similarly, where a data structure is illustrated for a message, it should be understood to also be capable of being embodied in an electrical signal for transmission across a medium, such as the internet.

It is also noted that many of the structures and acts recited herein can be recited as means for performing a function or steps for performing a function, respectively. Therefore, it should be understood that such language is entitled to cover all such structures or acts disclosed within this specification and their equivalents, including the matter incorporated by reference.

It is thought that the apparatuses and methods of the embodiments of the present invention and many of its attendant advantages will be understood from this specification and it will be apparent that various changes may be made in the form, construction and arrangement of the parts thereof without departing from the spirit and scope of the invention or sacrificing all of its material advantages, the form hereinbefore described being merely exemplary embodiments thereof.

1. A method of providing key management comprising: providing a server; providing a client configured to be coupled with said server; providing a trusted third party configured to be coupled with said client; allowing said server to initiate a key management session with said client by conveying a server key management message comprising a server_nonce to said client; receiving at said server via said client a client key management response message comprising a cryptographic message comprising a returned_nonce and a ticket; determining if said client key management response message should be accepted by said server by determining whether said returned_nonce matches said server_nonce and whether said ticket is validated.
2. The method as described in claim 1 wherein said allowing said server to initiate said key management session with said client comprises: providing said server_nonce at said server; generating said server key management message at said server; conveying said server key management message to said client.
3. The method as described in claim 2 and further comprising: receiving said server key management message comprising said server_nonce at said client; providing said returned_nonce at said client; generating said key management response message at said client comprising said returned_nonce; conveying said key management response message comprising said returned_nonce to said server.
4. The method as described in claim 3 and further comprising: predetermining an out-of-bounds value for said returned_nonce to prevent an attacker from simulating a server initiated key management session; checking said returned_nonce to determine whether the value of said returned_nonce is said out-of-bounds value.
5. The method as described in claim 3 and further comprising: confirming the value of said returned_nonce at said server; and conveying a reply message from said server to said client.
6. The method as described in claim 1 and further comprising: receiving from said client an attacker induced response message comprising a false_nonce at said server; determining that said false_nonce is not equivalent to any valid nonce sent by said server to said client; disregarding said client response message as not being sent in response to a message sent by said server.
7. A method of providing key management in a Kerberos based system, said method comprising: providing a server; providing a client configured to be coupled with said server; providing a key distribution center configured to act as a trusted third party for said client and said server; generating a server_nonce at said server; generating a trigger message to trigger said key management; coupling said trigger message with said server_nonce; conveying said trigger message and said server_nonce to said client; initiating a key management session by said server with said client by utilizing said server_nonce coupled with said trigger message; receiving at said server a client key management response message comprising a returned_nonce and a ticket issued to said client by said key distribution center.
8. (canceled)
9. The method as described in claim 7 and further comprising: receiving said trigger message and said server_nonce at said client; generating said client key management response message to said trigger message at said client; conveying said client key management response message comprising said returned_nonce to said server from said client.
10. The method as described in claim 9 and further comprising: confirming the value of said returned_nonce at said server; and then continuing with said key management session.
11. The method as described in claim 7 and further comprising: receiving at said server said client key management response message comprising a false_nonce from said client; determining that said false_nonce does not match said server_nonce; determining that said server did not initiate said key management session since said false_nonce does not match said server_nonce.
12. A method of initiating a key management session for a cable telephony adapter (CTA) and a Signaling Controller in an IP Telephony network, the method comprising: providing said Signaling Controller; providing said CTA configured to be coupled with said Signaling Controller; providing a key distribution center (KDC) configured to be coupled with said signaling controller and coupled with said KDC; issuing a ticket to said CTA by said KDC; generating a trigger message at said Signaling Controller; generating a nonce at said Signaling Controller; coupling said nonce with said trigger message; transmitting said nonce coupled with said trigger message from said Signaling Controller to said CTA so as to initiate said key management session by said Signaling Controller; generating a response message to said trigger message comprising said ticket; using the value of said nonce as the value of a returned_nonce; coupling said response message with said returned_nonce; transmitting said returned_nonce and said response message to said Signaling Controller; comparing said returned_nonce to said nonce so as to confirm that said response message is in response to said trigger message and not in response to a message sent to said client by an attacker; transmitting an AP reply from said Signaling Controller in reply to said response message; transmitting an SA recovered message from said CTA to said Signaling Controller.
13. (canceled)
14. A method of confirming that a message received by a server from a client was triggered by the server: receiving an AP request message from said client; receiving a client_nonce from said client wherein said client_nonce is associated with said AP request; determining whether said client_nonce matches a server_nonce previously conveyed from said server to said client.
15. The method as described in claim 14 and further comprising: determining that said client_nonce does not match said server_nonce conveyed from said server; and then disregarding said AP request.
16. The method as described in claim 15 and further comprising: awaiting at said client for a reply from said server to said AP request; aborting said AP request session after a predetermined time period if no reply is received from said server.
17. The method as described in claim 14 and further comprising: determining that said client_nonce does match said server_nonce conveyed from said server; and generating an AP reply at said server in response to said AP request.
18. A system for providing key management in a Kerberos based system, said system comprising: a server; a client configured to be coupled with said server; a key distribution center configured to act as a trusted third party for said client and said server; computer code coupled with said server operable to initiate a key management session by said server with said client; computer code coupled with said server operable to generate a server_nonce at said server; computer code coupled with said server operable to convey said trigger message and said server_nonce to said client.
19. (canceled)
20. The system as described in claim 18 and further comprising: computer code coupled with said client operable to generate a response message to said trigger message; computer code coupled with said client operable to convey said response message and a returned_nonce to said server.
21. The system as described in claim 20 and further comprising: computer code coupled with said server operable to confirm the value of said returned_nonce at said server.